mcp-hello-world Security Report — Trusted | ClawSafe

0 /100

mcp-hello-world

最小可行 MCP 服务器示例 - 提供 add 和 hello_world 两个工具

标准的 MCP SDK 示例项目，代码功能与文档声明完全一致，无任何恶意行为或隐藏功能

Skill Namemcp-hello-world

Duration32.2s

Enginepi

✓

Safe to install

可直接使用，该项目为教学示例，代码简洁透明

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	无文件读写操作
Network	`NONE`	`NONE`	—	仅使用 stdio 传输，本地运行
Shell	`NONE`	`NONE`	—	start.sh 仅执行 node src/server.js
Environment	`NONE`	`NONE`	—	无环境变量访问
Skill Invoke	`READ`	`READ`	✓ Aligned	通过 MCP 协议调用工具

96 findings

🔗

Medium External URL 外部 URL

https://modelcontextprotocol.io

01-调研报告.md:259

🔗

Medium External URL 外部 URL

https://clawhub.ai/skills/mcp-hello-world

README.md:5

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/@hono/node-server/-/node-server-1.19.11.tgz

package-lock.json:18

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/@modelcontextprotocol/sdk/-/sdk-1.27.1.tgz

package-lock.json:30

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/accepts/-/accepts-2.0.0.tgz

package-lock.json:70

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/ajv/-/ajv-8.18.0.tgz

package-lock.json:83

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/ajv-formats/-/ajv-formats-3.0.1.tgz

package-lock.json:99

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/body-parser/-/body-parser-2.2.2.tgz

package-lock.json:116

🔗

Medium External URL 外部 URL

https://opencollective.com/express

package-lock.json:135

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/bytes/-/bytes-3.1.2.tgz

package-lock.json:140

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz

package-lock.json:149

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/call-bound/-/call-bound-1.0.4.tgz

package-lock.json:162

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/content-disposition/-/content-disposition-1.0.1.tgz

package-lock.json:178

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/content-type/-/content-type-1.0.5.tgz

package-lock.json:191

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/cookie/-/cookie-0.7.2.tgz

package-lock.json:200

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/cookie-signature/-/cookie-signature-1.2.2.tgz

package-lock.json:209

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/cors/-/cors-2.8.6.tgz

package-lock.json:218

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/cross-spawn/-/cross-spawn-7.0.6.tgz

package-lock.json:235

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/debug/-/debug-4.4.3.tgz

package-lock.json:249

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/depd/-/depd-2.0.0.tgz

package-lock.json:266

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/dunder-proto/-/dunder-proto-1.0.1.tgz

package-lock.json:275

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/ee-first/-/ee-first-1.1.1.tgz

package-lock.json:289

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/encodeurl/-/encodeurl-2.0.0.tgz

package-lock.json:295

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/es-define-property/-/es-define-property-1.0.1.tgz

package-lock.json:304

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/es-errors/-/es-errors-1.3.0.tgz

package-lock.json:313

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/es-object-atoms/-/es-object-atoms-1.1.1.tgz

package-lock.json:322

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/escape-html/-/escape-html-1.0.3.tgz

package-lock.json:334

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/etag/-/etag-1.8.1.tgz

package-lock.json:340

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/eventsource/-/eventsource-3.0.7.tgz

package-lock.json:349

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/eventsource-parser/-/eventsource-parser-3.0.6.tgz

package-lock.json:361

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/express/-/express-5.2.1.tgz

package-lock.json:370

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/express-rate-limit/-/express-rate-limit-8.3.1.tgz

package-lock.json:413

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz

package-lock.json:431

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/fast-uri/-/fast-uri-3.1.0.tgz

package-lock.json:437

🔗

Medium External URL 外部 URL

https://opencollective.com/fastify

package-lock.json:446

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/finalhandler/-/finalhandler-2.1.1.tgz

package-lock.json:453

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/forwarded/-/forwarded-0.2.0.tgz

package-lock.json:474

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/fresh/-/fresh-2.0.0.tgz

package-lock.json:483

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/function-bind/-/function-bind-1.1.2.tgz

package-lock.json:492

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/get-intrinsic/-/get-intrinsic-1.3.0.tgz

package-lock.json:501

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/get-proto/-/get-proto-1.0.1.tgz

package-lock.json:525

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/gopd/-/gopd-1.2.0.tgz

package-lock.json:538

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/has-symbols/-/has-symbols-1.1.0.tgz

package-lock.json:550

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/hasown/-/hasown-2.0.2.tgz

package-lock.json:562

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/hono/-/hono-4.12.8.tgz

package-lock.json:574

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/http-errors/-/http-errors-2.0.1.tgz

package-lock.json:583

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/iconv-lite/-/iconv-lite-0.7.2.tgz

package-lock.json:603

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/inherits/-/inherits-2.0.4.tgz

package-lock.json:619

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/ip-address/-/ip-address-10.1.0.tgz

package-lock.json:625

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/ipaddr.js/-/ipaddr.js-1.9.1.tgz

package-lock.json:634

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/is-promise/-/is-promise-4.0.0.tgz

package-lock.json:643

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/isexe/-/isexe-2.0.0.tgz

package-lock.json:649

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/jose/-/jose-6.2.1.tgz

package-lock.json:655

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz

package-lock.json:664

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/json-schema-typed/-/json-schema-typed-8.0.2.tgz

package-lock.json:670

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/math-intrinsics/-/math-intrinsics-1.1.0.tgz

package-lock.json:676

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/media-typer/-/media-typer-1.1.0.tgz

package-lock.json:685

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/merge-descriptors/-/merge-descriptors-2.0.0.tgz

package-lock.json:694

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/mime-db/-/mime-db-1.54.0.tgz

package-lock.json:706

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/mime-types/-/mime-types-3.0.2.tgz

package-lock.json:715

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/ms/-/ms-2.1.3.tgz

package-lock.json:731

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/negotiator/-/negotiator-1.0.0.tgz

package-lock.json:737

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/object-assign/-/object-assign-4.1.1.tgz

package-lock.json:746

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/object-inspect/-/object-inspect-1.13.4.tgz

package-lock.json:755

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/on-finished/-/on-finished-2.4.1.tgz

package-lock.json:767

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/once/-/once-1.4.0.tgz

package-lock.json:779

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/parseurl/-/parseurl-1.3.3.tgz

package-lock.json:788

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/path-key/-/path-key-3.1.1.tgz

package-lock.json:797

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/path-to-regexp/-/path-to-regexp-8.3.0.tgz

package-lock.json:806

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/pkce-challenge/-/pkce-challenge-5.0.1.tgz

package-lock.json:816

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/proxy-addr/-/proxy-addr-2.0.7.tgz

package-lock.json:825

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/qs/-/qs-6.15.0.tgz

package-lock.json:838

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/range-parser/-/range-parser-1.2.1.tgz

package-lock.json:853

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/raw-body/-/raw-body-3.0.2.tgz

package-lock.json:862

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/require-from-string/-/require-from-string-2.0.2.tgz

package-lock.json:877

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/router/-/router-2.2.0.tgz

package-lock.json:886

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/safer-buffer/-/safer-buffer-2.1.2.tgz

package-lock.json:902

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/send/-/send-1.2.1.tgz

package-lock.json:908

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/serve-static/-/serve-static-2.2.1.tgz

package-lock.json:934

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/setprototypeof/-/setprototypeof-1.2.0.tgz

package-lock.json:953

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/shebang-command/-/shebang-command-2.0.0.tgz

package-lock.json:959

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/shebang-regex/-/shebang-regex-3.0.0.tgz

package-lock.json:971

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/side-channel/-/side-channel-1.1.0.tgz

package-lock.json:980

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/side-channel-list/-/side-channel-list-1.0.0.tgz

package-lock.json:999

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/side-channel-map/-/side-channel-map-1.0.1.tgz

package-lock.json:1015

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz

package-lock.json:1033

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/statuses/-/statuses-2.0.2.tgz

package-lock.json:1052

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/toidentifier/-/toidentifier-1.0.1.tgz

package-lock.json:1061

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/type-is/-/type-is-2.0.1.tgz

package-lock.json:1070

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/unpipe/-/unpipe-1.0.0.tgz

package-lock.json:1084

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/vary/-/vary-1.1.2.tgz

package-lock.json:1093

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/which/-/which-2.0.2.tgz

package-lock.json:1102

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/wrappy/-/wrappy-1.0.2.tgz

package-lock.json:1117

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/zod/-/zod-4.3.6.tgz

package-lock.json:1123

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com/zod-to-json-schema/-/zod-to-json-schema-3.25.1.tgz

package-lock.json:1132

🔗

Medium External URL 外部 URL

https://registry.npmmirror.com

开发记录.md:29

File Tree

16 files · 92.3 KB · 3506 lines

Markdown 10f · 2035L JSON 2f · 1162L JavaScript 3f · 272L Shell 1f · 37L

├─ ▾ 📁 src

│ ├─ 📜 full-test.js JavaScript 123L · 2.6 KB

│ ├─ 📜 server.js JavaScript 80L · 1.9 KB

│ └─ 📜 test.js JavaScript 69L · 1.6 KB

├─ 📝 01-调研报告.md Markdown 266L · 6.3 KB

├─ 📋 package-lock.json JSON 1140L · 39.6 KB

├─ 📋 package.json JSON 22L · 465 B

├─ 📝 README.md Markdown 141L · 2.6 KB

├─ 📝 SKILL.md Markdown 196L · 5.1 KB

├─ 🔧 start.sh Shell 37L · 834 B

├─ 📝 优化报告-v1.0.1.md Markdown 224L · 6.0 KB

├─ 📝 开发记录.md Markdown 218L · 4.6 KB

├─ 📝 快速参考.md Markdown 86L · 1.4 KB

├─ 📝 第二阶段报告.md Markdown 238L · 5.5 KB

├─ 📝 第四阶段报告.md Markdown 266L · 5.9 KB

├─ 📝 集成测试报告.md Markdown 295L · 5.6 KB

└─ 📝 项目总览.md Markdown 105L · 2.2 KB

Dependencies 2 items

Package	Version	Source	Known Vulns	Notes
`@modelcontextprotocol/sdk`	`^1.27.1`	npm	No	官方 MCP SDK
`zod`	`^4.3.6`	npm	No	参数验证库，版本锁定

Security Positives

✓ 使用官方 @modelcontextprotocol/sdk，无第三方恶意依赖风险

✓ 代码简洁透明，仅80行核心代码实现声明功能

✓ 功能与文档完全一致，无阴影功能

✓ 无网络请求，无凭证访问，无文件操作

✓ 依赖版本锁定在 package-lock.json 中

Scan Report

File Tree

Dependencies 2 items

Security Positives